Wheeler Floats FCC Cybersecurity Certification for IoT Devices

Federal Communications Commission Chairman Tom Wheeler has laid out an unexpected roadmap through which the FCC could directly regulate the security of internet-connected devices.

In a letter to Sen. Mark Warner (D-Va.) dated Dec. 2 and released by Warner on Monday, Wheeler proposed an FCC-mandated cybersecurity certification process for “Internet of Things” devices. The proposal would also require consumer cybersecurity labels for IoT devices and associated services.

Wheeler is set to step down as chairman on Jan. 20, but the new framework could be used to support legislation enhancing the FCC’s ability to regulate IoT devices.

Wheeler’s letter responded to a set of questions that Warner sent to the FCC four days after an Oct. 21 cyberattack directed through IoT devices knocked popular websites offline for several hours. Wheeler said in Friday’s letter that he shares Warner’s concern “that we cannot rely solely on the market incentives of ISPs to fully address the risk of malevolent cyber activities.”

In addition to public-private partnerships and interagency cooperation, Wheeler said FCC regulations could also play a role.

The letter marks a shift in perspective from the days immediately following the Oct. 21 cyberattack, when an FCC official said there was little appetite at the agency for increased regulations mandating stricter network security protocols for internet service providers.

Wheeler now seems to be moving the regulatory target to the IoT devices themselves. The FCC already imposes a certification process on all devices that emit or receive spectrum to ensure they don’t interfere with radio communications.

“Equipment authorization is a critical element of the FCC’s regulatory structure to maintain the integrity and usability of spectrum,” Wheeler explained in an outline of a proposed regulatory structure that accompanied the letter to Warner.

Berin Szoka, president of the limited-government group TechFreedom, said Wheeler may be looking at the FCC’s existing certification authority “as a hook for regulating the security of the devices.” But Szoka said that would vastly overstep the commission’s regulatory authority.

An FCC official told Morning Consult on Monday that the proposals floated in Wheeler’s letter would likely require an expansion of the agency’s device certification process to include cybersecurity. “It seems to be a very aggressive take on cybersecurity from the perspective of the FCC’s jurisdiction,” the official said.

It’s highly unlikely that Wheeler himself will be able to issue a proposed rule to expand the FCC’s certification authority, mainly because he’s required to step down as chairman when President-elect Donald Trump takes office.

The FCC official noted that the language in the letter was “wishy-washy” and said the proposal to directly regulate IoT devices is simply demarcating the outer limits of the agency’s authority.

Warner — whose Oct. 25 letter focused on steps the FCC could take to regulate the internet service providers that connect to IoT devices — said he was pleased with Wheeler’s answer.

“The commission’s proposal for a device certification process, either by the agency or through industry self-certification, deserves strong consideration,” Warner said in a statement Monday. “Similarly, the FCC’s suggestion of consumer labeling requirements echoes the call by many security experts for metrics that will empower and educate consumers.”